Windows Defender Technical Overview

Updated: February 8, 2007

Windows Defender is real-time protection software used for the detection and mitigation of spyware and other potentially unwanted software. It helps protect computers running Windows Vista, Microsoft Windows XP with Service Pack 2 (SP2), or Windows Server 2003 with Service Pack 1 (SP1). Windows Defender can be configured and used by the computer user or local administrator, or it can be configured and maintained by the system administrator. Windows Defender is automatically installed with Windows Vista. For computers running Windows XP with SP2 or Windows Server 2003 with SP1, Windows Defender must be installed manually. Windows Defender runs as a local service.

For manual configuration and maintenance information, see the Windows Defender Help, which is available locally when the software is installed.

Windows Defender and your security strategy

Windows Defender provides the following benefits:

Your users can monitor their computer's security, particularly on portable computers that may not have network or perimeter protection available at all times.

Either you, as the administrator, or your users can configure each individual computer for regularly scheduled scans to detect potentially unwanted software for evaluation and later removal.

Windows Defender offers three ways to help keep spyware and other potentially unwanted software from infecting the computers in your organization:

Real-time spyware protection. Windows Defender alerts the computer user when spyware or potentially unwanted software attempts to install or run on the computer. It also alerts the computer user when programs attempt to change important Windows settings.

Microsoft SpyNet community. With the online SpyNet community, you can learn how other people respond to software that has not yet been classified for risks.

Spyware scanning. You can use Windows Defender to scan for spyware and other potentially unwanted software that might be installed on the computer, to schedule scans on a regular basis, and to automatically remove any harmful software that is detected.

Determining the role for Windows Defender

Windows Defender can help you provide protection from spyware and other potentially unwanted software if you meet any of the following criteria:

Your organization relies on its computer users to manage and configure their own computers.

Your organization uses software for virus detection but does not have spyware protection.

Your organization does not rely on centrally managed administration of computers.

For all other installations, Microsoft Forefront Client Security helps guard against emerging threats, such as spyware and rootkits, as well as against traditional threats such as viruses, worms, and Trojan horses. Forefront Client Security integrates with your existing infrastructure software, such as Active Directory Domain Services (AD DS), and complements other Microsoft security technologies for better protection and greater control.

How Windows Defender works

Windows Defender is installed on each computer and is managed locally. It scans each object that is designated by the user and performs specified actions when spyware or other potentially unwanted software is found.

Windows Defender does not scan for cookies because there are many legitimate purposes for cookies.

Design of Windows Defender

Windows Defender identifies and removes spyware and other potentially unwanted software by using a definition database that describes the characteristics of all known spyware and other potentially unwanted software. Each definition, commonly known as a signature, is specific to an individual piece of spyware. The definition includes the names and paths of the files that the spyware installs and the changes it makes to critical areas of the operating system, including the Windows registry. In addition, the definitions contain expert advice and information to help users make informed removal decisions. The definition database is continuously updated to keep up with current threats.

The scanning engine uses the current spyware definition list to evaluate each designated object and determine whether it matches any on the list.

Windows Defender works with Windows Update to automatically install new definitions as they are released. You can also configure Windows Defender to check online for updated definitions before scanning and to send information to the SpyNet community about detected software that is not yet classified for risks.

Components of Windows Defender

Windows Defender is composed of two main components: the scanning engine and Software Explorer.

The scanning engine relies on the currently installed definitions as it evaluates each object. You can refine the configuration to be used by the scanning engine through the Tools and Settings utility. Settings include automatic scanning configuration, default actions configuration, real-time protection agents, advanced options, and local administrator options.

Software Explorer helps you monitor specific types of programs and providers, and identifies information about each program listed to help you understand the source and purpose of each program.

Scanning engine settings and alert actions

When you configure Windows Defender, you can choose which types of scans to run, how often to run the scans, and which actions to take against the identified software.

Scanning and resultant action settings

Quarantine

When Windows Defender quarantines software, it moves the software to another location on the computer, which is, by default, <drive>:\ProgramData\Microsoft\Windows Defender\Quarantine on Windows Vista (on Windows XP and Windows Server 2003 the Windows Defender folder is under the All Users application data folder instead). The moved files cannot run until the user chooses either to restore the software or to remove it from the computer permanently.

Allowed

When software is added to the allowed list, Windows Defender allows it to run on the computer. Windows Defender will stop alerting the user to risks that the software might pose to the user's privacy or the computer. Add software to the allowed list only if you trust the software and the software publisher.

For more information about automatic scanning and actions, see the Windows Defender Help.
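The definition update, on-demand scan and quarantine review described in this section can also be driven from a script, which is useful when a computer has no central management. The following PowerShell script is an added example; it is not code from the original page or from Windows Defender itself. It assumes that MpCmdRun.exe is installed under %ProgramFiles%\Windows Defender and that it accepts the -SignatureUpdate, -Scan -ScanType and -Restore -ListAll switches; confirm the switches with MpCmdRun.exe -? on the target build before relying on them.

```powershell
# Added example, not code from the original page or from Windows Defender.
# Assumption: MpCmdRun.exe lives under %ProgramFiles%\Windows Defender and
# accepts -SignatureUpdate, -Scan -ScanType <n> and -Restore -ListAll.
# Run from an elevated PowerShell prompt (UAC) so the scan can reach every
# location on the computer.

$MpCmdRun = Join-Path $env:ProgramFiles "Windows Defender\MpCmdRun.exe"
if (-not (Test-Path $MpCmdRun)) {
    throw "MpCmdRun.exe not found at '$MpCmdRun'; is Windows Defender installed?"
}

function Invoke-MpCmdRun {
    # Runs MpCmdRun.exe with the given switches, shows its output and
    # returns the exit code so the caller can branch on it.
    param([string[]]$Switches)
    & $MpCmdRun $Switches | Out-Host
    return $LASTEXITCODE
}

# 1. Refresh definitions first; this is the script equivalent of the
#    "check for updated definitions before scanning" option.
$rc = Invoke-MpCmdRun @("-SignatureUpdate")
Write-Host "Definition update exit code: $rc"

# 2. Quick scan (ScanType 1) of the places spyware usually installs itself;
#    use ScanType 2 for a full scan.  Assumption: 0 means the scan completed
#    with nothing found; any other value means detections or an error, and
#    the details are in the Windows Defender events in the event log.
$rc = Invoke-MpCmdRun @("-Scan", "-ScanType", "1")
if ($rc -eq 0) {
    Write-Host "Quick scan completed, nothing detected."
} else {
    Write-Warning "Quick scan exit code $rc; review the Windows Defender events and the History page."
}

# 3. Show what is currently held in quarantine.  Items stay in the
#    Quarantine folder described above and cannot run until restored.
Invoke-MpCmdRun @("-Restore", "-ListAll") | Out-Null
```

Running the definition update before the scan matters more than it looks: a scan with stale definitions reports "nothing found" for anything released since the last update, so a clean exit code is only as good as the definitions behind it.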

Protection agents

Real-time protection alerts you when spyware and other potentially unwanted software attempts to install or run on your computer. You are also alerted if programs attempt to change important Windows settings.

The following list describes each real-time protection agent and what it monitors. For further information, see the Windows Defender Help.

Auto Start: Monitors the lists of programs that are allowed to run automatically when you start your computer.

System Configuration (Settings): Monitors security-related settings in Windows.

Internet Explorer Add-ons: Monitors programs that run automatically when you start Internet Explorer.

Internet Explorer Configurations (Settings): Monitors browser security settings, which help protect against malicious content on the Internet.

Internet Explorer Downloads: Monitors files and programs that are designed to work with Internet Explorer, such as ActiveX controls and software installation programs.

Services and Drivers: Monitors services and drivers as they interact with Windows and your programs.

Application Execution: Monitors programs when they start and any operations they perform while running.

Application Registration: Monitors tools and files in the operating system where programs can register to run at any time.

Windows Add-ons: Monitors add-on programs (also known as software utilities) for Windows.

Advanced settings

Advanced settings allow you to configure Windows Defender to target specific files or behaviors so that you can better detect problems and manage mitigation.

The following list describes each setting.

Scan the contents of archived files and folders for potential threats: Extends the scan to files that are not normally inspected because they are packed inside archives, such as the contents of .zip files.

Use heuristics to detect potentially harmful or unwanted behavior by software that has not been scanned for risks: Instructs Windows Defender to attempt to detect suspicious software that has no known signature, based on predefined characteristics of its behavior. The risk of enabling this setting is that legitimate software may be flagged as suspicious and, depending on the default action, quarantined.

Create a restore point before applying actions to detected items: Uses Windows System Restore to create a restore point before applying changes. The user can later select that restore point to undo the changes and return the system to its condition at that time.

Excluded files or locations: Creates a list of excluded files, folders, or drives so that the user can narrow the scan to specific needs. For instance, if you write scripts or develop software, this setting can exclude from scanning the source files that you change frequently. Keep the list short and specific: anything placed in an excluded location is never inspected, so a broad exclusion (a whole drive, for example) gives spyware a place to hide.

Local administrator options

Administrator options allow you to configure each installation of Windows Defender individually. The following list describes each setting.

Use Windows Defender: When this option is enabled, all users of the computer are alerted if spyware or other potentially unwanted software attempts to run or install itself on the computer. Windows Defender also checks for new definitions, scans the computer on the configured schedule, and automatically removes harmful software that a scan detects.

Allow everyone to use Windows Defender: Allows all users of the computer, not only administrators, to run scans, choose the actions to apply to potentially unwanted software, and review all Windows Defender activities. This works in conjunction with User Account Control.

The Microsoft SpyNet community

Microsoft SpyNet is an online community that helps users choose how to respond to potential spyware threats. The community also helps stop the spread of new spyware infections. Participation in the SpyNet community is optional and is configured on a per-computer basis. If you choose to participate in the SpyNet community, you can select one of two options to control the amount of information transferred between Microsoft and the computer regarding suspicious software that Windows Defender detects.

The following list describes what type of information is transferred for each level of participation in the Microsoft SpyNet community.

Basic membership to the SpyNet community sends to Microsoft:

Source of software, such as company name

Actions applied (by the user and Windows Defender)

Results of actions: Success or failure

Operating system version

IP address

Web browser software and version

With basic membership, Windows Defender does not alert you if it detects software or changes made by software that has not yet been analyzed for risks.

Advanced membership to the SpyNet community sends to Microsoft:

File name(s) of detected software

Source of software, such as company name

The operation that the software is attempting to perform

Software impact on the computer (what the likely result will be if the software were to run)

Actions applied (by the user and Windows Defender)

Results of actions: Success or failure

With advanced membership, Windows Defender alerts the computer user to take action against software that has not yet been analyzed for risks.

Note

With either membership level, in some instances personal information might unintentionally be sent to Microsoft; however, Microsoft will not use this information to identify you or contact you. For further information, see the Windows Defender Privacy Statement (http://go.microsoft.com/fwlink/?LinkID=71539).
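The advanced settings (excluded locations), the local administrator options and the SpyNet membership level above are all stored in the registry, so an administrator without central management can still apply them consistently with a script and read them back to verify the result. The following PowerShell script is an added example and is not code from the original page or from Windows Defender. The registry key and value names it uses (DisableAntiSpyware and CheckForSignaturesBeforeRunningScan under the Windows Defender policy key, SpyNetReporting under its SpyNet subkey with 0, 1 and 2 meaning no, basic and advanced membership, and one DWORD value per path under Exclusions\Paths) are assumptions about the build in use; confirm them with regedit on a test computer before deploying.

```powershell
# Added example, not code from the original page or from Windows Defender.
# Assumed registry layout (verify with regedit on the target build):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
#       DisableAntiSpyware (DWORD): 1 turns Windows Defender off
#       CheckForSignaturesBeforeRunningScan (DWORD): 1 = check for new
#           definitions before a scheduled scan
#   HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet
#       SpyNetReporting (DWORD): 0 = no membership, 1 = basic, 2 = advanced
#   HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
#       one DWORD value (data 0) named after each excluded path
# Policy values override what a user picks in Tools and Settings, so use
# them when a setting must not be changed locally.  Requires an elevated
# prompt (UAC); the WinDefend service is restarted at the end.

$PolicyKey    = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
$SpyNetKey    = Join-Path $PolicyKey "SpyNet"
$ExclusionKey = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

function Set-DwordValue {
    # Creates the key if needed and writes (or overwrites) a REG_DWORD value.
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Keep Windows Defender on, refresh definitions before scheduled scans, and
# join SpyNet at the basic level (no file names in the basic report; see the
# membership lists above).
Set-DwordValue $PolicyKey "DisableAntiSpyware" 0
Set-DwordValue $PolicyKey "CheckForSignaturesBeforeRunningScan" 1
Set-DwordValue $SpyNetKey "SpyNetReporting" 1

# Exclude one developer source tree and nothing broader.  The value name is
# the excluded path; the data is unused (0).  Hypothetical path.
Set-DwordValue $ExclusionKey "C:\Source\MyProject" 0

function Get-DefenderSettings {
    # Reads the values back so the change can be checked now and audited later.
    $spyNetLabel = @{ 0 = "none"; 1 = "basic"; 2 = "advanced" }
    $policy = Get-ItemProperty -Path $PolicyKey
    $spynet = Get-ItemProperty -Path $SpyNetKey
    $level  = $spyNetLabel[[int]$spynet.SpyNetReporting]
    if (-not $level) { $level = "unrecognised value $($spynet.SpyNetReporting)" }
    $excluded = @()
    if (Test-Path $ExclusionKey) { $excluded = (Get-Item $ExclusionKey).GetValueNames() }

    "Windows Defender disabled by policy : $($policy.DisableAntiSpyware -eq 1)"
    "Check definitions before scan       : $($policy.CheckForSignaturesBeforeRunningScan -eq 1)"
    "SpyNet membership                   : $level"
    "Excluded paths                      : $($excluded -join '; ')"
}

Get-DefenderSettings
Restart-Service -Name WinDefend
```

Reading the settings back is the part worth keeping even if the write step is done by other means: the same Get-DefenderSettings function run periodically on each computer shows whether someone has quietly turned Windows Defender off, raised the SpyNet level beyond what the privacy statement was reviewed for, or excluded an entire drive from scanning.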

Software Explorer

Software Explorer helps you monitor the following items:

Startup programs, which are programs that run automatically when you start Windows, with or without your knowledge.

Currently running programs, which are programs that are currently running onscreen or in the background.

Network-connected programs, which are programs or processes that can connect to the Internet or to your home or office network.

Winsock service providers, which are programs that perform low-level networking and communication services for Windows and programs that run on Windows. These programs often have access to important areas of the operating system.

It also provides the details about each program listed, including the classification, publisher, digital signature, installation date, and location.
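The four views that Software Explorer presents can be reproduced at the command line with tools that ship with Windows, which is handy when you need the same information from a computer where Software Explorer is not available or when you want a text listing to compare against a known-good baseline. The following PowerShell script is an added example and is not code from the original page or from Windows Defender; it assumes WMI, netstat.exe and netsh.exe are present, and that netstat -ano prints one socket per line ending in the owning process ID.

```powershell
# Added example, not code from the original page or from Windows Defender.
# Lists the same four views Software Explorer shows (startup programs,
# running programs, network-connected programs, Winsock providers) using
# tools that ship with Windows, and adds the Authenticode signer of each
# program.  Assumptions: WMI, netstat.exe and netsh.exe are available, and
# netstat -ano prints "Proto  Local Address  Foreign Address  [State]  PID".

function Get-SignerInfo {
    # Returns "<signer subject> [<status>]" for a file, or "unsigned"/"n/a".
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) { return "n/a" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate -eq $null) { return "unsigned" }
    return "{0} [{1}]" -f $sig.SignerCertificate.Subject, $sig.Status
}

"=== Startup programs (Run keys and Startup folders) ==="
Get-WmiObject -Class Win32_StartupCommand | ForEach-Object {
    "{0,-28} {1,-22} {2}" -f $_.Name, $_.Location, $_.Command
}

"=== Running programs ==="
$procById = @{}
Get-Process | ForEach-Object {
    $procById[$_.Id] = $_.Name
    # Path is empty for processes this user cannot open; elevate to see them.
    if ($_.Path) {
        "{0,-24} {1,6}  {2}" -f $_.Name, $_.Id, (Get-SignerInfo $_.Path)
    }
}

"=== Network-connected programs (listening or connected sockets) ==="
netstat.exe -ano | ForEach-Object {
    $fields = [regex]::Split($_.Trim(), '\s+')
    if ($fields[0] -eq "TCP" -or $fields[0] -eq "UDP") {
        $ownerPid = [int]$fields[-1]
        $owner = $procById[$ownerPid]
        if (-not $owner) { $owner = "(pid $ownerPid, not visible)" }
        "{0,-4} {1,-24} {2,-24} {3}" -f $fields[0], $fields[1], $fields[2], $owner
    }
}

"=== Winsock service providers (base and layered providers) ==="
netsh.exe winsock show catalog
```

What to look for is the same thing Software Explorer is designed to surface: an unsigned program in a Run key, a running program whose signature status is not Valid, a listening socket owned by a process you cannot account for, or a Winsock layered provider with no recognisable publisher.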

Logged events

Whenever Windows Defender takes a specific action such as detecting or removing spyware, or when installing new definition updates, Windows Defender creates a new event in the Windows event log. You can review or audit previous actions by searching for events created by Windows Defender in Event Viewer.
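Because every detection, action and definition update produces an event, the event log is the place to check whether Windows Defender is actually doing its job on a computer, not just whether it is installed. The following PowerShell script is an added example and is not code from the original page or from Windows Defender. It assumes that on this build Windows Defender writes to the System log with the source name "Windows Defender", and the event ID meanings in its table are the ones the author understands Windows Defender to use; check them against the message text of real events on the target computer.

```powershell
# Added example, not code from the original page or from Windows Defender.
# Assumptions: Windows Defender writes to the System log with source
# "Windows Defender"; the event ID meanings below should be confirmed
# against the message text of real events on the target computer.

$idMeaning = @{
    1000 = "Scan started"
    1001 = "Scan finished"
    1002 = "Scan stopped before completion"
    1005 = "Scan failed"
    1006 = "Spyware or potentially unwanted software detected"
    1007 = "Action taken on detected software"
    1008 = "Action on detected software failed"
    2000 = "Definition update succeeded"
    2001 = "Definition update failed"
    3002 = "Real-time protection agent failed"
}
# IDs that should never go unnoticed on a managed computer.
$needsAttention = @(1005, 1006, 1008, 2001, 3002)

function Get-DefenderEvents {
    # Source filtering is done client-side so this also works on PowerShell 1.0.
    param([int]$Newest = 5000)
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { $_.Source -eq "Windows Defender" }
}

$events = @(Get-DefenderEvents)
if ($events.Count -eq 0) {
    Write-Warning "No Windows Defender events found in the System log."
    return
}

"Event counts by ID:"
$events | Group-Object -Property EventID | Sort-Object { [int]$_.Name } | ForEach-Object {
    $id = [int]$_.Name
    $label = $idMeaning[$id]
    if (-not $label) { $label = "(see event message text)" }
    "  {0,5}  {1,5}  {2}" -f $id, $_.Count, $label
}

"Events that need attention (newest first):"
$events | Where-Object { $needsAttention -contains $_.EventID } |
    Sort-Object TimeGenerated -Descending | Select-Object -First 20 | ForEach-Object {
        $firstLine = $_.Message.Split("`n")[0].Trim()
        "  {0:yyyy-MM-dd HH:mm}  {1,5}  {2}" -f $_.TimeGenerated, $_.EventID, $firstLine
    }

# A computer with no recent successful definition update is effectively
# unprotected against anything new, even though nothing else is in error.
$lastUpdate = $events | Where-Object { $_.EventID -eq 2000 } |
    Sort-Object TimeGenerated -Descending | Select-Object -First 1
if ($lastUpdate) {
    "Last successful definition update: $($lastUpdate.TimeGenerated)"
} else {
    Write-Warning "No successful definition update (ID 2000) among the retrieved events."
}
```

Run on a schedule, the attention list and the definition-update age are the two numbers to feed into whatever reporting you already have; a detection event (1006) that is not followed by an action event (1007) for the same item is the case to chase first.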

The Windows Live OneCare safety scanner is a free service that can help you protect, clean, and optimize the performance of your computer. For more information, see the Windows Live OneCare safety scanner (http://go.microsoft.com/fwlink/?LinkId=80042).